
Your Guide to CCPA: California Consumer Privacy Act

Daniela Sanchez Privacy Knowledge Lead, Law Library, TrustArc

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a landmark privacy law that grants California residents enhanced rights over their personal information and imposes significant obligations on businesses handling such data. Enacted to increase transparency and accountability, the CCPA empowers consumers with rights to access, delete, and opt out of the sale of their personal information, while requiring businesses to provide clear and accessible privacy notices.

To ensure effective implementation, the California Privacy Protection Agency (CPPA) has issued detailed regulations that clarify compliance requirements, including guidelines for privacy notices, consumer rights requests, and data governance practices. These regulations, which have undergone multiple updates and public consultations, aim to balance consumer protection with practical business operations, setting a precedent for privacy legislation across the United States.

CCPA Applicability Thresholds

The CCPA establishes specific thresholds to determine which businesses are subject to its requirements. These thresholds ensure that the law applies to entities with significant data processing activities and financial resources, particularly where a substantial portion of their business derives from the sale or sharing of personal data. The law applies to entities that “do business” in California, regardless of their physical location, as long as they meet one or more of the following thresholds:

Annual Gross Revenue:

Businesses with annual gross revenues exceeding $26,625,000 USD in the preceding calendar year are subject to the law.

Volume of Personal Information Processed:

Businesses that buy, sell, or share the personal information of 100,000 or more California consumers or households annually are covered.

Revenue Derived from Data Sales or Sharing:

Businesses that derive 50% or more of their annual revenue from selling or sharing California consumers’ personal information are also subject to the law.

California Consumer Privacy Act Key Definitions

“Business”:

In addition to the qualifiers as a business provided by the applicability thresholds, the definition of business includes additional qualifications:

  • Any entity that controls or is controlled by a business that meets the applicability thresholds, shares common branding, and shares consumers’ personal information.
  • A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.
  • Persons not covered by the applicability thresholds that voluntarily certify to the California Privacy Protection Agency that they comply with, and agree to be bound by the CCPA.

“Business Purpose”

It is defined as the use of personal information for operational purposes or other notified purposes that are reasonably necessary and proportionate to achieve the purpose for which the information was collected or processed. It also includes purposes compatible with the context in which the information was collected. Some examples include:

  • Auditing related to ad impressions and compliance.
  • Ensuring security and integrity.
  • Debugging to identify and repair errors.
  • Short-term, transient use (e.g., non-personalized advertising during a consumer’s interaction).
  • Performing services on behalf of the business, such as customer service, processing transactions, or providing analytics.

“Personal Information”:

California includes a non-exhaustive list of what types of information are considered personal. Some of the most notable types of information considered personal under the CCPA are:

  • Inferences drawn from personal information and used to create a profile about a consumer that reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • Information that is linked or reasonably linkable to an identified or identifiable household;
  • Personal information can be in any physical, digital, or abstract digital format. Abstract digital formats encompass compressed or encrypted files, metadata, or artificial intelligence systems capable of outputting personal information.

“Sensitive Information”:

Information that includes or reveals a person’s racial or ethnic origin, religious beliefs, sexual orientation, mental or physical health diagnosis, citizenship status, immigration status, and genetic or biometric data, when it is used for identification purposes. Besides these types of data, the CCPA additionally includes more types of personal information that are not commonly included by other states with comprehensive consumer privacy acts, such as:

  • Consumer’s health (as a general term that could consist of diagnosis, conditions, or treatment);
  • Financial information (consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account);
  • Neural data (regardless of whether it is used for identification purposes);
  • Sex life;
  • Philosophical belief;
  • Social security, driver’s license, state identification card, or passport number;
  • Union membership, and
  • Contents of a consumer’s mail, email, and text messages.

“Sell or Sale of personal information”:

The sale of personal information is defined as the exchange of data by the controller with a third party for a monetary or valuable consideration.

The definition of sale of personal data under the CCPA excludes the following disclosures:

  • Mergers and acquisitions: the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.
  • Disclosure directed by the consumer: the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
  • Alerting of Consumer Rights: Alerting persons that the consumer has opted out of sharing their personal information or limited the use of their sensitive personal information.

“Sharing or Share”:

Under the CCPA, sharing personal information involves disclosing a consumer’s personal information to a third party for cross-context behavioral advertising, regardless of whether monetary or other valuable consideration is exchanged. This includes situations where an organization benefits even if no money changes hands. The same exclusions that apply to the “selling” or “sale” of personal information also apply to this type of “sharing.”

CCPA Consumer Rights

The CCPA grants consumers rights regarding their personal information to enhance transparency and control over data handling. These rights include knowing, accessing, deleting, correcting personal data, data portability, opting out of selling or sharing, automated decision-making, and limiting sensitive information use.

Organizations must provide at least two accessible methods for submitting requests, such as a toll-free phone number or, for online-only businesses, an email address. These methods should be clear, easy to understand, and user-friendly. Businesses may require reasonable verification of the requester’s identity, but cannot require consumers to create an account unless one already exists. For the rights to opt out and to limit the processing of sensitive information, organizations cannot require identity verification before complying with the request.

Under the CCPA, businesses must respond to consumer requests within specific timelines: deletion, correction, or information requests within 45 days (with a possible 45-day extension if communicated), and opt-out requests within 15 business days, notifying involved third parties.

Below is a summary of the key consumer rights under the CCPA:

Right to know

Consumers have the right to request information about:

  • Categories of personal information collected.
  • Sources of personal information.
  • Personal information disclosed for business purposes.
  • Business or commercial purposes for collecting, selling, or sharing personal information.
  • Categories of third parties to whom personal information is disclosed.
  • Information about the categories of personal information shared with third parties for cross-contextual behavioral advertising.

Right to Access and Data Portability

Consumers have the right to request access to specific pieces of personal information collected about them. Businesses must provide disclosures covering the 12 months preceding the request, and for data collected after January 1, 2022, disclosures beyond 12 months may be required unless impossible or disproportionately burdensome.

Consumers can request access to their personal information in a portable and readily usable format, enabling them to transfer the data to another entity.

Right to delete

Consumers can request the deletion of their personal data from a company’s records, subject to certain exceptions (e.g., legal obligations or internal uses aligned with consumer expectations). Businesses must also notify any service providers, contractors, and third parties to whom they have sold or shared the individual’s personal information to delete it. Each service provider must do the same with any downstream service providers.

Right to correct

Consumers can request that businesses correct inaccurate personal information. Businesses must use commercially reasonable efforts to correct the data and instruct service providers and contractors to do the same.

Right to opt out of the sale and sharing

Consumers can opt out of the sale or sharing of their personal information. Businesses must provide a clear link on their homepage titled “Do Not Sell or Share My Personal Information” and honor opt-out preference signals, such as Global Privacy Controls (GPC).

Right to opt out of automated decision-making technology¹

Consumers can opt out of automated decision-making technology (ADMT) when it is used to make decisions with legal or similarly significant effects, such as granting or denying financial services, employment opportunities, or access to housing.

Right to limit the use of sensitive personal information

Consumers can request businesses to limit the use of sensitive data to specific purposes, such as providing services or ensuring security, including limits on how long a company can keep sensitive personal information in its records.

Right of non-discrimination

Businesses cannot discriminate against consumers for exercising their rights under the CCPA. For example, they cannot deny goods or services or charge different prices unless the difference is reasonably related to the value of the consumer’s data.


Privacy Notices

Businesses are required to provide privacy notices to ensure transparency about their data collection, use, and sharing practices. These notices must be clear, accessible, and comprehensive, enabling consumers to understand their rights and how their personal information is handled.

Notice at Collection:

Businesses must provide consumers with a privacy notice at or before the time personal information is collected. This notice must include:

  • Categories of personal information collected.
  • Purposes for which the information is collected or used.
  • Whether the information is sold or shared.
  • Categories of sensitive personal information collected and their purposes.
  • The retention period for each personal and sensitive information category, or the criteria used to determine the retention period.
  • A link to the business’s privacy policy.

Notice of the Right to Opt-Out of Sale/Sharing:

Businesses selling or sharing personal information must describe consumers’ right to opt out, including instructions for submitting an opt-out request (such as an interactive form for online requests or offline methods if no website exists). They must also provide clear links to an online opt-out form and their privacy policy.

These requirements apply to businesses that primarily interact with consumers through a website and those that significantly engage with consumers offline.

  • Web-based businesses must have a Do Not Sell or Share My Personal Information link on their homepage. The landing page of this ‘do not sell or share’ link should either display the opt-out notice or link to the business’s privacy policy that contains the same information.
  • Businesses that collect personal information offline must display a notice of the right to opt out with instructions for submitting requests. The notice should be visible as a sign where personal information is gathered or on the collection form. If information is collected over the phone, companies can inform consumers of their right to opt out and how to do so during the call.
  • Businesses that do not sell consumers’ personal information are not required to provide the notice of the right to opt out. However, they must include a statement in their privacy policy confirming the business does not and will not sell personal information.

Notice of Financial Incentive

A notice must be provided when a consumer opts in to sharing personal information in exchange for a financial incentive, or for a price or service difference, offered by the business. This notice needs to include:

  • Summary of the incentive offered,
  • Description of its material terms, including categories of personal information collected after opt-in, and value of the consumer’s data,
  • Good-faith estimate of the value of this data,
  • Instructions on how the consumer can opt in, and
  • Instructions on how the consumer can opt out at any time.


California Consumer Privacy Act Business Obligations

Processing of Sensitive Data

Businesses are prohibited from collecting or using consumer personal information (PI) or sensitive PI for additional purposes incompatible with the disclosed purpose of collection, or for any other subsequently disclosed purposes not previously communicated to the consumer. Furthermore, businesses are prohibited from retaining consumer PI or sensitive PI for longer than is reasonably necessary to achieve the specific purposes of collection.

Businesses must honor consumer requests to limit the use and disclosure of sensitive data to the purposes permitted by the regulations. Once a service provider or contractor receives such instructions from the business, it cannot use the sensitive data for any other purpose, except as its written contract permits.

Record-Keeping and Training

Organizations must retain records of consumer requests for a minimum of 24 months. Additionally, businesses that know, or should reasonably know, they handle the personal information of 10,000,000 or more consumers annually must compile and disclose consumer request metrics for the previous year by July 1 on their website through a link in their privacy policy. They must also ensure employees who handle consumer inquiries are trained in CCPA compliance.

Children’s Information

Businesses cannot sell or share the personal information of consumers under 16 years of age without affirmative consent. Consumers aged 13 to 16 can provide their own consent. For consumers under 13, a parent or guardian must grant consent.

Opt-Out Preference Signals

Businesses must honor opt-out preference signals, such as Global Privacy Control (GPC), in a frictionless manner.
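The following is an added JavaScript example, not code from the article or from TrustArc’s products, showing how a web server can treat the GPC signal as a frictionless opt-out and suppress tags that sell or share personal information. The request shape (a plain `headers` map), the consent record, and the tag list are assumptions constructed for illustration.

```javascript
// Added example: honoring the Global Privacy Control (GPC) opt-out preference
// signal as the CCPA requires. The only defined value of the `Sec-GPC`
// request header is "1"; anything else is treated as no signal.
function gpcSignalPresent(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// A consumer's consent record (constructed shape). `saleOrShare` holds the
// "Do Not Sell or Share" choice; `source` records how the choice was made,
// which feeds the business's records of consumer requests.
function defaultConsent() {
  return { saleOrShare: "allowed", source: null };
}

// Apply the signal "in a frictionless manner": no login, no identity
// verification, no extra steps. A GPC signal counts as a valid opt-out
// request, and an earlier opt-out is never undone just because the header is
// absent on a later visit (the consumer must actively opt back in).
function applyOptOutSignal(consent, headers) {
  if (gpcSignalPresent(headers)) {
    return { saleOrShare: "opted_out", source: "gpc" };
  }
  return consent;
}

// Decide which third-party tags may load. Tags that sell or share personal
// information (e.g. cross-context behavioral advertising) are suppressed after
// an opt-out; purely operational tags such as security and first-party
// analytics fall under the "business purpose" definition and stay enabled.
function permittedTags(consent, tags) {
  return tags
    .filter((t) => !(t.sellsOrShares && consent.saleOrShare === "opted_out"))
    .map((t) => t.name);
}

// Constructed sample tag inventory for the demo.
const SAMPLE_TAGS = [
  { name: "fraud-detection", sellsOrShares: false },
  { name: "ad-retargeting-pixel", sellsOrShares: true },
  { name: "first-party-analytics", sellsOrShares: false },
];

// Two constructed visits: the first carries the GPC header, the second does not.
function demo() {
  const visitWithGpc = { "Sec-GPC": "1", "User-Agent": "example-browser" };
  const laterVisit = { "User-Agent": "example-browser" };
  let consent = applyOptOutSignal(defaultConsent(), visitWithGpc);
  consent = applyOptOutSignal(consent, laterVisit); // opt-out is sticky
  return permittedTags(consent, SAMPLE_TAGS);
}

console.log(demo());
```

Browsers that support GPC also expose the same preference client-side as `navigator.globalPrivacyControl`, so a tag manager can apply the identical rule before any sale/share script loads.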

Data Protection Assessments²

Businesses must conduct annual cybersecurity audits and periodic risk assessments for processing activities that present a significant risk to consumers’ privacy or security.

These assessments are necessary for selling personal information, sharing personal information for cross-context behavioral advertising, and processing sensitive personal information beyond what is needed to provide goods or services.

Security

Businesses must implement reasonable security measures to protect personal information from unauthorized access, destruction, or disclosure.

Vendor and Contractor Management

Businesses must ensure that service providers and contractors comply with CCPA requirements and assist in fulfilling consumer requests.


CCPA Enforcement

Administrative Enforcement

The California Privacy Protection Agency can initiate an administrative enforcement action under the CCPA, holding businesses liable for an administrative fine of no more than two thousand six hundred sixty-three dollars ($2,663) for each violation, or seven thousand nine hundred eighty-eight dollars ($7,988) for each intentional violation or for violations involving the personal information of consumers whom the business, service provider, contractor, or other person has actual knowledge are under 16 years of age.

Private right of action

California allows a civil action for breaches to recover damages, request injunctive or declaratory relief, or any other relief the court deems appropriate. A consumer may bring these actions after providing a 30-day written notice identifying the alleged violations. If, after the 30-day notice, the organization cures the violation and sends a written statement indicating that the violations have been cured and that no further violations will occur, no civil actions can be initiated against the organization.


California Consumer Privacy Act Regulations

The CPPA has finalized its first set of regulations (effective March 2023), but additional rulemaking is ongoing, particularly concerning automated decision-making, risk assessments, and cybersecurity audits. These draft rules are actively developing as part of the CPPA’s phased regulatory agenda, with public input being gathered and revisions underway before final adoption.

The first set of regulations primarily focuses on clarifying and operationalizing the core rights and obligations under the CCPA, amended by the CPRA. The key areas covered under the regulations include the processes for handling consumer requests, notice and transparency obligations, opt-out mechanisms, including Global Privacy Control (GPC), limited use of sensitive personal information, contractual requirements for service providers, contractors, and third parties, and user experience and dark patterns.

Practical CCPA Compliance Steps

  1. Conduct a data inventory to understand what personal and sensitive personal information you collect, use, share, and store.
  2. Identify data sources, third-party recipients, processing purposes, and retention periods.
  3. Implement robust data minimization practices to ensure compliance with proportionality requirements.
  4. Implement mechanisms to handle consumer requests efficiently, including secure portals and verification processes.
  5. Consider using a contract management and tracking system.
  6. Establish clear processes for handling consumer requests to limit the use of sensitive data and ensure service providers and contractors comply with these requests.
  7. Prioritize fortifying public-facing consent and individual rights interfaces and confirm that required website links with the required wording are present (e.g., “Do Not Sell Or Share My Personal Information”).
  8. Verify and monitor public-facing consent and individual rights interfaces to ensure proper implementation that meets regulatory requirements.
  9. Provide clear notices regarding the use of cookies and tracking technologies, and include a “Do Not Sell or Share My Personal Information” link when applicable.
  10. Collect the minimum information necessary to fulfill a request based on the type of request received.
  11. Ensure compliance with opt-out preference signals like GPC.
  12. Obtain affirmative consent for processing personal information of minors under 16 years of age.
  13. Apply reasonable and appropriate safeguards to protect personal and sensitive information.
  14. Train staff on consumer rights and establish clear policies for responding to requests.
  15. Regularly review and update privacy policies to reflect CCPA requirements.
  16. Regularly review contracts with service providers to ensure compliance with CCPA requirements.
  17. Keep records of consumer rights requests and responses for at least 24 months.
  18. Maintain documentation to demonstrate compliance with legal and regulatory requirements.


¹As of May 2025, the California Privacy Protection Agency (CPPA) is currently in the process of rulemaking for Automated Decision Making Technologies.

²As of May 2025, the California Privacy Protection Agency (CPPA) is currently in the process of rulemaking for Risk Assessments.
